Application
Software-based keyloggers
Image caption: A logfile from a software-based keylogger
These are computer programs designed to work on the target computer's software.[2] From a technical perspective there are several categories:
- Hypervisor-based: The keylogger can theoretically reside in a malware hypervisor running underneath the operating system, which itself remains untouched; the operating system effectively becomes a virtual machine running on top of the keylogger. Blue Pill is a conceptual example.
- Kernel-based: A program on the machine 'gets root', hides itself in the OS, and starts intercepting keystrokes (because they always go through the kernel). This method is difficult both to write and to combat. Such keyloggers reside at the kernel level and are thus difficult to detect, especially for user-mode applications that don't have root access. They are frequently implemented as rootkits that subvert the operating system kernel and gain unauthorized access to the hardware, making them very powerful. A keylogger using this method can, for example, act as a keyboard device driver, and thus gain access to any information typed on the keyboard as it goes to the operating system.
- API-based: These keyloggers hook keyboard APIs inside a running application. The keylogger registers for keystroke events, as if it were a normal piece of the application instead of malware. The keylogger receives an event each time the user presses or releases a key, and simply records it.
  - Windows APIs such as GetAsyncKeyState(), GetForegroundWindow(), etc. are used to poll the state of the keyboard or to subscribe to keyboard events.[3] A more recent example simply polls the BIOS for pre-boot authentication PINs that have not been cleared from memory.[4]
- Form grabbing based: Form grabbing-based keyloggers log web form submissions by recording the browser's submit events. These happen when the user finishes filling in the form and clicks "OK", "Submit", "Go" or anything else that indicates they are finished. This records the form data before it is passed over the Internet.
- Memory injection based: Memory Injection (MitB)-based keyloggers alter memory tables associated with the browser and other system functions to perform their logging functions. By patching the memory tables or injecting directly into memory, this technique can be used by malware authors who are looking to bypass Windows UAC (User Account Control). The Zeus and SpyEye Trojans use this method exclusively.[5] Non-Windows systems have analogous protection mechanisms that the keylogger needs to thwart somehow.
- Packet analyzers: This involves capturing network traffic associated with HTTP POST events to retrieve unencrypted passwords. This doesn't work if you're connected with HTTPS; in fact, it was this kind of attack that HTTPS was invented to defeat.
- Remote access software keyloggers: These are local software keyloggers with an added feature that allows access to the locally recorded data from a remote location. Remote communication may be achieved using one of these methods:
  - Data is uploaded to a website, database or an FTP server.
  - Data is periodically emailed to a pre-defined email address.
  - Data is wirelessly transmitted by means of an attached hardware system.
  - The software enables a remote login to the local machine from the Internet or the local network, so that data logs stored on the target machine can be accessed.
Most of these aren't stopped by HTTPS encryption because that only protects data in transit between computers; this is a threat inside your own computer, the one connected to the keyboard.
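The packet-analyzer category above relies on credentials travelling in cleartext HTTP POST bodies. The following is an added example, not code from the original article, of the kind of check a defender would run over request summaries exported from a proxy log or packet capture: it flags POST submissions that carry a password-like field over plain http:// and reports only the destination and field names, never the values. The export line format, the sample requests, and the SENSITIVE_FIELDS list are all constructed assumptions for this example.

```python
"""Audit exported HTTP request lines for credential fields sent without TLS.

Added example (not from the original article). Each input line is assumed to
be in the form "<METHOD> <URL> <content-type> <body>", a shape a proxy or
capture tool might export. The routine reports the risk (plaintext credential
submission) without ever returning the secret values themselves.
"""
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample input (not a real capture): one request per line.
SAMPLE_REQUESTS = [
    "POST http://intranet.example.test/login application/x-www-form-urlencoded user=alice&password=hunter2",
    "POST https://bank.example.test/login application/x-www-form-urlencoded user=alice&passwd=secret",
    "GET http://cdn.example.test/logo.png - ",
    "POST http://shop.example.test/search application/x-www-form-urlencoded q=keyboards",
    'POST http://legacy.example.test/api application/json {"username":"bob","pin":"1234"}',
]

# Heuristic list of field names that usually carry authentication secrets;
# extend it for the application under review (assumption, not a standard).
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "pass", "pin", "otp", "token", "secret"}


def parse_request(line):
    """Split an exported request line into (method, url, content_type, body)."""
    parts = line.split(" ", 3)
    if len(parts) < 4:
        return None
    method, url, ctype, body = parts
    return method.upper(), url, ctype, body.strip()


def sensitive_fields_in_body(ctype, body):
    """Return the names of sensitive fields found in a form-encoded or JSON body."""
    found = set()
    if ctype.startswith("application/x-www-form-urlencoded"):
        for name in parse_qs(body, keep_blank_values=True):
            if name.lower() in SENSITIVE_FIELDS:
                found.add(name)
    elif ctype.startswith("application/json"):
        try:
            obj = json.loads(body)
        except ValueError:
            return found  # malformed JSON: nothing to inspect
        if isinstance(obj, dict):
            for name in obj:
                if name.lower() in SENSITIVE_FIELDS:
                    found.add(name)
    return found


def find_plaintext_credential_posts(lines):
    """Return (host, path, sorted field names) for every POST that sends a
    sensitive field over plain HTTP. Field values are deliberately omitted."""
    findings = []
    for line in lines:
        parsed = parse_request(line)
        if parsed is None:
            continue
        method, url, ctype, body = parsed
        if method != "POST":
            continue
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue  # TLS-protected (or non-HTTP) submissions are out of scope here
        fields = sensitive_fields_in_body(ctype, body)
        if fields:
            findings.append((parts.hostname, parts.path, sorted(fields)))
    return findings


if __name__ == "__main__":
    for host, path, fields in find_plaintext_credential_posts(SAMPLE_REQUESTS):
        print(f"plaintext credential POST to {host}{path}: fields {fields}")
```

Run against the constructed sample, the audit reports the intranet login form and the legacy JSON API, while the HTTPS bank login and the non-credential search form are left alone. Findings like these are the remediation list for moving forms to HTTPS; as the closing paragraph notes, that fixes only the in-transit exposure and does nothing against a keylogger already running on the machine attached to the keyboard.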